COMPLIANCE BRIEFING: BLOG

Recent research has shown that UK companies are struggling to get ready for the new General Data Protection Regulation (GDPR) in key areas such as the management of personally identifiable information and data breaches. For example, only 40% of companies check on every occasion whether a customer has given permission for records to move between data processors, and only 21% claim to have processes that allow them to remove data without delay from live systems and backups as required under articles 16 and 17 of GDPR.

The survey which was conducted by Vanson Bourne across 500 IT Decision Makers for WinMagic, also found when looking specifically at data breaches that only 37% of UK companies are completely confident that they can report data breaches within 72 hours of discovery to the authorities. Companies also admitted they cannot easily identify the data obtained in a breach. As few as a quarter (27%) are completely confident that they could precisely identify the data that had been exposed in a breach.

With this in mind and only a little time left for you to prepare for GDPR, here are our tips to help ensure you consider some key areas of compliance with GDPR.Rethink data consentThe era of assumption is over when it comes to citizens’ consent for data use and disclosure. Evaluate all your current consent forms and processes to ensure that consent is both voluntary and explicit with regard to the scope and consequences of data processing. You need to obtain or empower “a statement or a clear affirmative action” and essentially ensure that consent can be withdrawn as easily as it is given – something many companies fall down on.Be thorough in your investigations Assess what, where and how EU resident personal data is stored, processed and transferred within and outside your organisation’s structure. Check every department from marketing to HR, legal and IT. Personal data includes “any information relating to an identified or identifiable natural person”. That means names, passwords, ID numbers, location data, online identifiers or any data relating to physical, physiological, genetic, mental, economic, cultural or social identity. It is essential to examine everything as ‘personal data’ covers a very wide area of what might be stored and processed on your systems.Go minimalIn the age of Big Data, it is important to adopt the “less is more” principle when it comes to personal information. The GDPR states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.” Adopting an ongoing data minimisation approach is not only best practice, it’s GDPR-mandated. That also includes techniques such as pseudonymisation and anonymisation, as well as implementing foundational security measures like encryption which together, can dramatically reduce risk.Understand citizen rights as well as your responsibilitiesEU residents will have a greatly expanded set of rights, post EU GDPR. You need to honestly assess your ability to respond to requests within one month, with a maximum extension of two months. These reinforced rights include: the right to access data, to rectify or erase data, to restrict data processing, to data portability and to object to data processing. This will require a rethink across processes, staff training, technology and an intelligent approach to backup and disaster recovery, ensuring that personal data wherever it is stored can be identified and accessed relatively quickly.Avoid awkward breach notifications72 hours is the upper time limit for notifying your Supervisory Authority of a personal data breach. If the breach presents a risk to the rights and freedoms of EU residents, you also need to notify all affected individuals. However, if your data in encrypted and rendered “unintelligible to any person who is not authorised to access it,” then your organisation is not required to inform all affected individuals. Often organisations use encryption to protect data such as credit card details, or passwords, but stop there. All organisations should take the attitude that if they hold data that is either commercially sensitive or falls under the category of personally identifiable information (as defined by EU GDPR), and they don’t want it getting into the public domain, then it should be encrypted when ‘at rest’. It is the last line of defence against a data breach.The proof is in the compliance puddingJust being compliant isn’t enough; you need to prove it. That means establishing a clear framework for accountability and compliance. Do your core activities include large scale data processing? If so, you’ll need to have a designated Data Protection Officer on board too, both monitoring compliance and being a single point of contact for the Supervisory Authority in your country, for example the Information Commissioners Office in the UK. As part of the this process it would be prudent to periodically conduct a Data Protection Impact Assessment, determining the impact of data processing operations on data privacy.Be proactive about process designYou’re required to put in place “appropriate technical and organisational measures” to safeguard personal data and minimise data collection, processing, and storage. Whilst the wording may be intentionally imprecise, it does come with very definite risk, given the fines for non-compliance. You must place yourself in the mind of the regulator and question whether they could deem your security measures as falling short of their interpretation of “appropriate”? Do this proactively, hunting out the gaps, or weaker process areas, so that they can be improved.

You may find that you are better prepared to deal with GDPR than you think, but don’t delay the assessment of your processes and systems. Regardless of your company’s size, if you hold data on EU citizens or intend to trade with them then you will be affected. Don’t be fooled into thinking Brexit makes a difference either, you will need to be compliant and can be hit by the full force of the regulation’s fines regardless.